Code Signing Certificates
Information Technology Services (ITS) provides free Code Signing Certificates via the InCommon Certificate Service. Code signing certificates (also known as Software Publishing Certificates) can be used to digitally sign software executables and scripts. The digital signature can help users of the signed software to confirm that the software is genuine by authenticating the source of the software (i.e. who published it) and verifying the integrity of the content (i.e. the code hasn't been modified since signed).
Uses of Code Signing Certificates include:
- Microsoft Authenticode
- signing Java jar files
- signing Adobe AIR applications
Code Signing Certificates may be issued to employees on behalf of their University departments or units or in some circumstances as individual faculty and staff. Only one certificate will be allowed per individual at any given time. Since code signed through this process will be presented as from Cal Poly, certificates will only be issued to assist in publishing code that furthers the mission of the University.
To enforce a unique mapping of a single individual per certificate, ITS requires that a valid campus employee email address be provided and added to the certificate as the Subject Alternative Name. Although details such as email addresses will be listed on the certificate, most software used to verify Code Signing Certificates will display only the Common Name of the certificate, which will always be the Organization: "California Polytechnic State University, San Luis Obispo".
Individuals responsible for a Code Signing Certificate must take appropriate measures to protect the certificate and associated keys, including but not limited to:
- the certificate and private key must be stored on a secure system that has access controls to limit use to only trusted individuals
- the private key must be protected by a password that has strong complexity and a minimum of 12 characters
- if the security of the Code Signing Certificate is breached in any way, the party responsible for the Code Signing Certificate must contact the Information Security Officer immediately
- if the individual or entity loses affiliation with the University (e.g. change in employment status for an individual, renaming or reorganization of department or unit), the certificate must no longer be used
Cal Poly's Information Security Officer may revoke a certificate if there is evidence of misuse or concerns regarding the security of its handling. In that event, the individual and their department will be notified and must immediately stop using the certificate.
The Information Security Coordinator must email a request for a code signing certificate to Certificate Service <email@example.com> with the following information:
- Full contact information for the individual faculty or staff person requesting the certificate, i.e., full name, campus email, campus phone, campus mailing address
- Brief statement about their plans for using the Code Signing Certificate, i.e., what is the rationale or purpose for requesting a certificate?
- ITS will review the request and contact the individual to discuss it further if necessary.
- If the request is approved, the email address listed in the request will be sent an email invitation to request a certificate. That email will provide a link (URL) to visit to accept the invitation and generate the cryptographic material needed for the certificate request. The private key will be added to the certificate store for the system (for IE users) or browser (for non-IE users) at this time, but a certificate has not yet been issued. Note that the invitation email will be sent only to the specified account so the individual must be able to access that account. Please see the notes below on phishing and browser choice.
- Comodo will review the request. The process usually takes less than one business day, but please allow for at least two business days. Comodo will then sign the certificate and issue it via a link in an email. Please note that the system/browser used for accepting the invitation must be the same as the system/browser used for downloading the issued certificate. Please see the notes below on phishing and browser choice.
- Once accepted, the authorized user will have the only copy of the private key and should immediately create a password-protected backup of the certificate and keys. Most browsers will create that backup in PKCS#12 format. Store this in a safe place.
If at any time there are questions about Code Signing Certificates, please email Certificate Service <firstname.lastname@example.org>.
Once you have received a Code Signing Certificate via email you can immediately begin signing and distributing your software. The typical process for signing code includes using a utility program (such as signcode.exe, codesign, or signtool) that does the following (at minimum):
- create a cryptographic hash of your software code
- encrypt the hash using your private key
- create a package containing your code, the encrypted hash, and your code signing certificate
The specific method for doing so varies according to what software and environment you are using and is outside the scope of this document; however, here are some links to useful starting points to learn more:
- Comodo Knowledge Base: all entries for code signing certificates
- Comodo Knowledge Base: "Signing JAR Files"
- Comodo Knowledge Base: "Signing Adobe AIR Applications"
- MSDN Article "Introduction to Code Signing"
- How to sign a Mozilla extension or theme
The digital signature for your software can be valid beyond the lifetime of your Code Signing Certificate if you use timestamping. This service is provided by Comodo at the URL http://timestamp.comodoca.com/authenticode. For more information please see: Comodo Knowledge Base: "Timestamping"
The InCommon certificate service relies on clickable web links in email. Since that is a phishing hazard, please copy and paste the URL into a browser rather than clicking the link in the email, and review the URL before use. Please verify that the URL uses SSL (https, not http) with a valid certificate and uses the cert-manager.com domain. If there are questions regarding the validity of an email, please contact Certificate Service <email@example.com> before proceeding.
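The URL review described above can be scripted. The following is an added example, not part of the original page or of any ITS or InCommon tooling. The function name and sample links are constructed, and accepting subdomains of cert-manager.com is an assumption. Certificate validity requires a live TLS connection and is left to the browser.

```python
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "cert-manager.com"  # the domain this page tells users to expect


def check_invitation_url(url):
    """Return (ok, reason) for a link copied out of an invitation email."""
    url = url.strip()
    # Backslashes, whitespace and control characters are parsed differently by
    # browsers and by URL libraries, so refuse them instead of guessing.
    if any(ch <= " " or ch in "\\\x7f" for ch in url):
        return False, "backslash, whitespace or control character in URL"
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme != "https":
        return False, "scheme is not https"
    # In https://cert-manager.com@other.example/ the real host is other.example.
    if parts.username is not None or parts.password is not None:
        return False, "text before '@' hides the real host"
    if not host:
        return False, "no host in URL"
    host = host.rstrip(".")
    # Exact match or a true subdomain (assumption); a bare suffix test would
    # also accept look-alikes such as notcert-manager.com.
    if host != TRUSTED_DOMAIN and not host.endswith("." + TRUSTED_DOMAIN):
        return False, f"host {host!r} is not in {TRUSTED_DOMAIN}"
    return True, "https and host in " + TRUSTED_DOMAIN


# Constructed sample links, not taken from any real invitation email.
SAMPLES = [
    "https://cert-manager.com/constructed/path?token=EXAMPLE",
    "http://cert-manager.com/constructed/path",
    "https://cert-manager.com.example.net/constructed/path",
    "https://notcert-manager.com/constructed/path",
    "https://cert-manager.com@example.net/constructed/path",
]

if __name__ == "__main__":
    for link in SAMPLES:
        ok, reason = check_invitation_url(link)
        print("OK    " if ok else "REJECT", link, "->", reason)
```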
The same system/browser used for accepting the invitation must be used for downloading the issued certificate. Comodo recommends using Windows and Internet Explorer for the process of generating a certificate signing request and downloading an issued certificate, but IE is not required. Please note that if IE is not used, the downloaded certificate will be located only in the certificate store for that browser. In any case, a user can export the certificate to move it to the appropriate certificate store. Also note that the Google Chrome browser is not supported and will not work.